Webinar Wrap-Up: Preventing Payment Fraud in Higher Ed


October 30, 2025


We recently hosted a webinar, Payment Fraud Trends in Higher Ed and How to Stop Them at the Browser, where we explored payment fraud trends and security solutions in higher education.

The presentation also focused on the escalating threat of e-skimming attacks, which exploit vulnerabilities in JavaScript and third-party scripts to steal sensitive data from payment pages.

The session emphasized the importance of adhering to updated Payment Card Industry Data Security Standard (PCI DSS) requirements, particularly requirements 6.4.3 and 11.6.1, which mandate inventory, justification, and integrity assurance of all scripts.

Key Takeaways

Here are the key takeaways focusing on critical payment fraud trends, specifically on e-skimming attacks in the higher education sector.

  1. The Root Cause is JavaScript: The fundamental security issue stems from JavaScript, the programming language that makes web pages interactive, because it has no native security controls. JavaScript runs on over 97% of all websites, and any script running in a page can perform any action there, meaning any code, regardless of origin, can read or modify the data inside the web page.
  2. Understanding Client-Side Attacks: These attacks are often referred to as e-skimming (PCI terminology) or Magecart (a popular “brand name” for these attacks). Attacks happen inside the web page, after traditional security controls like firewalls have already completed their jobs.
  3. The Supply Chain Effect: The majority of code running on a web page, often about 82%, is outside your institution’s direct control. This third-party JavaScript often loads other code (fourth- and fifth-party scripts) dynamically, creating a complex supply chain that is difficult to inventory or assure the integrity of manually. Attackers exploit this chain to steal sensitive information.
  4. Mandatory PCI DSS Compliance Requirements: PCI DSS requirements 6.4.3 and 11.6.1 transitioned from best practice to required on March 31, 2025. Guidance is available for SAQ A merchants, for entities assessing with SAQs A-EP, D, or D-SP, and for those assessing with a Report on Compliance.
  5. PCI Requirements Summary: To be compliant, merchants and service providers must:
    • Inventory all payment page scripts.
    • Confirm scripts are authorized and provide a written business or technical justification for each.
    • Implement a method to ensure the integrity of each script.
    • Monitor HTTP response headers retrieved from the payment page.
  6. ScriptSafe Solution: ScriptSafe, powered by Source Defense, addresses these requirements by monitoring and controlling the behavior of JavaScript, rather than relying solely on file changes or hashing techniques like Subresource Integrity (SRI) or Content Security Policy (CSP). The solution can isolate foreign scripts and actively block harmful behaviors, like attempting to steal card numbers, while still allowing beneficial functions to run.

Actionable Steps

For institutions looking to achieve compliance quickly and secure their environments against client-side attacks, we recommend the following steps:

  1. Define Your Scope (Discovery Phase): Understand what payment pages and scripts are currently in scope for PCI DSS. CampusGuard can help define this scope.
  2. Initiate an Evaluation: We can create a testing environment for your payment pages quickly. If you are seeking a solution, evaluations of ScriptSafe can be completed in as little as a week.
  3. Streamline Onboarding: Work with CampusGuard to leverage existing knowledge of your environment and ensure the work completed during the evaluation, such as justifications and behavior acknowledgments, can be promoted directly into production, avoiding duplicate effort.
  4. Achieve Compliance Rapidly: Deployment of the ScriptSafe solution can be accomplished very quickly, often taking less than a week on average, accelerating the process from “zero to compliant.”
  5. Request a Demo/Start Evaluation: If you are starting today, reach out to your CampusGuard relationship manager about ScriptSafe, or contact us for a free demo.
  6. Document Everything: The reporting capabilities provided by ScriptSafe can generate zip archives containing all necessary compliance documentation, which can be attached to your assessment to satisfy requirements 6.4.3 and 11.6.1.

Final Thoughts

Although the webinar mainly addressed PCI DSS, tackling e-skimming threats can greatly benefit your institution’s overall compliance efforts. This issue is also significant under regulations such as GDPR and HIPAA, particularly when integrating Facebook Connect into healthcare websites like ‘find a doctor’ platforms.

We strongly urge you to move forward with securing your client-side environments, as industry experts speculate that the current, limited scope of the PCI requirements, focused mainly on payment pages, will likely expand in future versions of PCI DSS to encompass the security of the entire web application, where payment information may be entered at any point.

ScriptSafe actively monitors and controls script behavior to achieve compliance and defeat client-side attacks. Contact us to request a demo or get started.


About the Author
Kathy Staples

Marketing Manager

Kathy Staples has over 20 years of experience in digital marketing, with special focus on corporate marketing initiatives and serving as an account manager for many Fortune 500 clients. As CampusGuard's Marketing Manager, Kathy's main objectives are to drive the company's brand awareness and marketing strategies while strengthening our partnerships with higher education institutions and organizations. Her marketing skills encompass multiple digital marketing initiatives, including campaign development, website management, SEO optimization, and content, email, and social media marketing.
